Fergie's Tech Blog

Friday, November 06, 2009

U.S. Toll in Iraq, Afghanistan

As of Friday, Nov. 6, 2009, at least 4,359 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,475 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is one fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, Nov. 6, 2009, at least 833 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Friday at 10 a.m. EDT.

Power Outages In Brazil Were Result of Cyber Attacks?

A series of power outages affecting millions of people in Brazil in 2005 and 2007 were the result of cyber attacks, 60 MINUTES has learned. The two-day event in Espirito Santo State affecting more than three million people in 2007 and another, smaller event in three cities north of Rio de Janeiro in January 2005 were perpetrated by hackers manipulating control systems. The revelation is part of a Steve Kroft investigation into how computers and the Internet can be used as weapons to be broadcast on 60 MINUTES Sunday, Nov. 8 (7:00-8:00 PM, ET/PT) on the CBS Television Network.

Former Chief of U.S. National Intelligence Retired Adm. Mike McConnell believes it could happen in America. “If I were an attacker and wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer,” he tells Kroft. “I would probably sack electric power on the U.S. East Coast, maybe the West Coast and attempt to cause a cascading effect.” If hackers did attack the U.S. power grid, “The United States is not prepared for such an attack.” says McConnell.

Congressman Jim Langevin (D-R.I.), who chaired a subcommittee on cyber security, agrees. He says that U.S. power companies need to be forced to deal with the issue after they told Congress they would take steps to defend their operations but did not follow up. “They admit that they misled Congress,” says Langevin, and they still haven’t made much progress. “The private sector has different priorities than we do in providing security. Their…bottom line is about profits,” he tells Kroft. “We need to change their motivation so that when [we] see [a] vulnerability like this, we can require them to fix it.”

Computer hackers have struck in the U.S. already. “People talk about cyber Pearl Harbors, …we probably had our electronic Pearl Harbor,” says Jim Lewis, director of the Center for Strategic and International Studies which oversaw a study on cyber security for the Obama Administration. He is referring to a breach of computer security resulting in the downloading of huge amounts of critical information from several governmental departments, including Defense, State and Commerce. “So we probably lost the equivalent of a Library of Congress worth of information in 2007,” he says.

Opinion: Government Must Attract More Cyber-Security Talent

As if running a government cyber-security program wasn't already challenging, a recently released report by Booz Allen Hamilton and the Partnership for Public Service titled Cyber In-Security [.pdf] reminds us that one of the critical, nontechnical problems lurking on the horizon is the shrinking number of qualified cyber-security experts interested in working for the government.

The report is a result of a survey of CIOs, chief information security officers and HR officials from the federal government. It found, among other things, that "the pipeline of potential new talent is inadequate." The report further states that "there are concerns that America is not developing enough IT experts, creating labor shortages in both the public and private sector." We've been hearing for a few years now about the IT work force "retirement bubble," but this is the first report I'm aware of that focuses specifically on the cyber-security work force.

While risk management is a fundamental component of any good cyber-security program, the overall goal of risk management isn't simply to protect an organization's IT assets, but to protect the institution's ability to carry out its mission. If we accept the definition of risk management as "the process of identifying, assessing and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk," our cyber-security work force issue means, "Houston, we have a problem."

Raid on Romanian Bank Card Skimming Ring

Police in Romania this week swooped in on 19 members of an alleged international credit and debit card skimming ring that’s been active in Switzerland, Italy, France, and the U.S., according to local reports.

Romania’s national Directorate for Countering Organized Crime staged 23 coordinated raids Tuesday, most of them in the city of Craiova, according to the Gazeta de Sud. The police found fake ATM components, card readers, five luxury cars, lots of cash, 100 cloned cards, documents showing wire transfers, and at least one handgun.

The police had been secretly watching the gang for 9 months, and moved in after intercepting a package Tuesday containing 31 tiny circuit boards designed to surreptitiously intercept and store data from magstripe swipes.

Thursday, November 05, 2009

U.S. DoD Approves New Credentials for Security Professionals

The Defense Department has approved new credentials for information security professionals. The directive is expected to result in more than 100,000 personnel obtaining professional credentials.

DOD approved the (ISC)² Certification and Accreditation Professional (CAP) credential under the directive, which requires that all DOD information assurance workers obtain a professional certification accredited under the global ANSI/ISO/IEC 17024 standard.

CAP certifies that the holder has in-depth knowledge of Certification and Accreditation (C&A), the formalized process for assessing an information system's risks and security requirements and ensuring that adequate security controls are in place.

DOD and the National Institute of Standards and Technology are jointly trying to create a single C&A process across the government. CAP is undergoing changes to comply with the new C&A requirements, which go into effect March 2010.

U.S. Builds Largest Biometric Database

One of the most important innovations in the FBI's post-9/11 counterterrorism efforts consists of a portable workstation and a miniature satellite dish. Called the Quick Capture Platform (QCP), it electronically scans fingerprints and beams them to the FBI's fingerprint database.

"What it provides is the capability from anywhere for an agent to send prints to the FBI's Integrated Automated Fingerprint Identification System (IAFIS) and the Defense Dept.'s Automatic Biometric Identification System (ABIS)," says Roy Bowlen of the FBI, who helped develop the system.

IAFIS and ABIS together make up the largest trove of fingerprint data in the world.

The fingerprints are scanned into a digital format and data are beamed via satellite to an underground data center. There, the computerized systems search the database and shoot back matches, "a lot of times in under 2 min.," says Bowlen.

Cyber Criminals Down Five British Police Forces in a Year

In the last year five British police forces have suffered major computer failures lasting three days or more as a result of malicious internet attacks.

The spate of intrusions by cybercriminals and the resulting outages was revealed recently by a senior authoritative source, who can't be identified because the disclosure was made under the Chatham House rule.

The source did not reveal which forces were the victims of the attacks or the method used.

The Association of Chief Police Officers, which coordinates police strategy nationally, declined to comment on the incidents.

Despite the official silence on the matter, the news of repeated breaches raises serious questions over the standard of police information security.

'Remember, Remember, The Fifth of November...'

Prosecutors: We Can Frame You With Impunity

Prosecutors trying to put you in prison for a crime you didn’t commit can fabricate evidence, coerce witnesses into lying on the stand, and enjoy absolute immunity. They cannot go to prison. They cannot even be sued. They aren’t even likely to get so much as a reprimand from the bar association or from their bosses, even after publicly admitting to framing you.

So argued an attorney for Joseph Hrvol and David Richter, prosecutors in Pottawattamie County, Iowa, who argued in front of the U.S. Supreme Court Wednesday in their case, Pottawattamie County v. McGhee, that they were entitled to absolute immunity for their roles in knowingly putting two teenagers in prison for murder.

In 1977, the two prosecutors coerced Kevin Hughes into lying on the stand, telling him what to say, in order to obtain convictions against Curtis W. McGhee Jr. and Terry J. Harrington, both 16 at the time. The two would spend 25 years in prison for the murder of a retired police officer who was working as a security guard in Council Bluffs, despite the facts that Hughes changed his story several times before trial and that prosecutors also let a more likely suspect in the case get away and covered it up. Their convictions were finally overturned in 2003 by the Iowa Supreme Court, which found that Hughes had committed perjury.

The courts have held that prosecutors enjoy absolute immunity under the common law for any actions they take at trial, though only qualified immunity when they perform police functions such as investigating crimes and gathering evidence. Stephen S. Sanders, the attorney for the prosecutors, argued that since they used the fabricated evidence at trial, they should be covered by absolute immunity.

Tech Titans Meet in Secret to Plug SSL Hole

Researchers say they've uncovered a flaw in the secure sockets layer protocol that allows attackers to inject text into encrypted traffic passing between two endpoints.

The vulnerability, in the transport layer security protocol's renegotiation mechanism, allows man-in-the-middle attackers to surreptitiously introduce text at the beginning of what the server takes to be the victim's SSL session, said Marsh Ray, a security researcher who discovered the bug. Because a typical SSL transaction may be broken into multiple sessions, the attacker has ample opportunity to sneak password resets and other commands into communications believed to be cryptographically authenticated: the attacker's plaintext is processed first, and the victim's own encrypted data, cookies and credentials included, is appended to it.

Practical attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies has been meeting since late September to hash out a new industry standard that will fix the flaw. A draft is expected to be submitted on Thursday to the Internet Engineering Task Force.

"A core security guarantee made by TLS is violated as a result of this problem," said Steve Dispensa, CTO of Phonefactor, a provider of two-factor authentication services, the company where Ray works. "It's going to take a while for the protocol changes necessary to be rolled out, because every browser and every server in the world is going to have to be patched."
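The splice described above, modelled at the HTTP layer, as an added example that is not code from the article or from the researchers it quotes. It assumes a toy HTTP request parser and a deliberately simplified handshake model in which the server checks, as the fix that was eventually published as RFC 5746 (TLS Renegotiation Indication Extension) does, that a renegotiating client presents the previous handshake's verify_data. The bank.example host, the request contents and the session seeds are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

# ---- HTTP layer: what the server's request parser sees ----------------------

@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)

def parse_first_request(stream: bytes) -> Request:
    """Toy HTTP/1.x parser: the first request in a byte stream, header names lower-cased."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return Request(method.decode(), target.decode(), headers)

# Constructed attacker prefix, sent in the attacker's own TLS session before the
# renegotiation. The unterminated X-Ignore header swallows the victim's request
# line, so the victim's Cookie header ends up authenticating the attacker's URL.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# Constructed victim request, encrypted under the victim's own handshake.
VICTIM_REQUEST = (
    b"GET /account/home HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=c0ffee\r\n"
    b"\r\n"
)

# ---- Handshake layer: simplified model of the renegotiation binding -----------

@dataclass
class Handshake:
    """One TLS handshake, reduced to the two values the fix depends on.

    client_verify_data: the client's Finished value from this handshake.
    renegotiation_info: what the ClientHello claimed about the *previous*
    handshake on this connection (empty for an initial handshake, as in RFC 5746).
    """
    client_verify_data: bytes
    renegotiation_info: bytes

def initial_handshake(seed: bytes) -> Handshake:
    # verify_data is derived from the handshake transcript; a seeded hash stands in for it.
    return Handshake(hashlib.sha256(seed).digest()[:12], b"")

def renegotiating_handshake(previous: Handshake, seed: bytes) -> Handshake:
    # A genuine renegotiation echoes the previous handshake's client verify_data.
    return Handshake(hashlib.sha256(seed).digest()[:12], previous.client_verify_data)

def server_accepts_renegotiation(previous: Handshake, new: Handshake, secure: bool) -> bool:
    """Pre-fix servers accept any renegotiation; RFC 5746 servers require the binding."""
    if not secure:
        return True
    return new.renegotiation_info == previous.client_verify_data

# ---- The attack, end to end ----------------------------------------------------

def spliced_request(secure_renegotiation: bool) -> Optional[Request]:
    """Return the request the server processes, or None if the handshake is refused.

    The attacker completes a handshake with the server and sends ATTACKER_PREFIX.
    The victim then starts what it believes is a fresh connection; the
    man-in-the-middle tunnels that handshake inside the attacker's connection,
    where the server sees it as a renegotiation and appends the victim's
    plaintext to the buffered prefix.
    """
    attacker_session = initial_handshake(b"attacker-session")
    victim_hello = initial_handshake(b"victim-session")   # carries empty renegotiation_info
    if not server_accepts_renegotiation(attacker_session, victim_hello, secure_renegotiation):
        return None   # connection aborted; the buffered prefix is never completed
    return parse_first_request(ATTACKER_PREFIX + VICTIM_REQUEST)

def legitimate_renegotiation_ok() -> bool:
    """The fix must still let a single client renegotiate its own connection."""
    first = initial_handshake(b"victim-session")
    second = renegotiating_handshake(first, b"victim-renegotiation")
    return server_accepts_renegotiation(first, second, secure=True)

if __name__ == "__main__":
    r = spliced_request(secure_renegotiation=False)
    print("vulnerable server executes:", r.method, r.target, "with", r.headers["cookie"])
    print("RFC 5746 server:", spliced_request(secure_renegotiation=True))
    print("own renegotiation still accepted:", legitimate_renegotiation_ok())
```

The point the model makes is that the attack never breaks the encryption: the victim's bytes are confidential and authenticated under the victim's handshake, but nothing told the server that the two handshakes on the connection belong to different parties. That is why the fix is a handshake-level binding (the renegotiation_info check above) rather than an application-level change, and why Dispensa notes every client and server has to be updated.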

Wednesday, November 04, 2009

New Cyber Security Role for NIST?

A bill that would expand the National Institute for Standards and Technology’s role in cybersecurity cleared a House subcommittee today.

NIST would be responsible for developing a plan to coordinate the government’s work with international organizations developing cybersecurity standards under the bill approved by the House Science and Technology Committee’s Technology and Innovation Subcommittee.

The legislation would also have NIST work with agencies, industry and academia to start a public awareness and education campaign on cybersecurity risks, consequences and best practices.

The measure would also require NIST to support the development of technical standards to improve interoperability among identity management technologies and bolster authentication methods of identity management systems. The program would also work to improve privacy protection in identity management systems.

U.S. Congress May Require ISPs to Block Fraud Sites

For the last decade or so, Internet service providers have been dealing with requests to block access to pornographic or copyright-infringing Web sites, or in China, ones that dare to criticize the government.

Now a U.S. House of Representatives bill is taking the unusual step of requiring Internet providers to block access to online financial scams that fraudulently invoke the Securities Investor Protection Corporation--or face fines and federal court injunctions.

The House Financial Services Committee approved the legislation on Wednesday by a 41 to 28 vote.

If you've never heard of the SIPC, you're not alone. It's a government-linked entity that aids investors when funds are missing from their accounts, up to a limit of $500,000 for stocks, bonds, and mutual funds. Only accounts opened with SIPC member firms qualify for its protection.

Business e-Banking and The 6-Figure Password

On Monday, Security Fix featured the story of Ronnie Cutshall, a Tennessee man who was caught up in an international money laundering scam after being recruited through a work-at-home job offer. That story mentioned that Cutshall received a $9,600 transfer from a company called American Realty, but that I didn't have any luck in tracking down the victim company.

Today the American Realty company affected by that scam contacted me after reading my story (turns out they're located in Shalimar, Fla., not Georgia, as I had previously thought). A few weeks ago, an American Realty employee clicked a link in an e-mail scam that spoofed an IRS alert about unreported income. The Web site linked to in that message quietly installed a password-stealing Trojan horse program named Zeus. From there, the perpetrators were able to swipe the company's online banking credentials, and initiate unauthorized payroll payments to Cutshall and about 20 other individuals.

In all, the hackers transferred $195,000 out of American Realty's bank account. So far, the company has retrieved just $45,000 of the stolen money.

Denny Naugle, operations director at American Realty, said the company is drafting papers to sue their bank.

"The bank said it detected that this was likely fraud, but they let the transfers go through anyway," Naugle said. "They're saying it's our fault because we gave our password information away."

Faint

Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts. In a typical scenario, the targeted entity receives a "spear phishing" email which either contains an infected attachment, or directs the recipient to an infected web site. Once the recipient opens the attachment or visits the web site, malware is installed on their computer. The malware contains a key logger which will harvest the recipient's business or corporate bank account log-in information. Shortly thereafter, the perpetrator either creates another user account with the stolen log-in information, or directly initiates funds transfers by masquerading as the legitimate user. These transfers have occurred as both traditional wire transfers and as ACH transfers.

Further reporting has shown that the transfers are directed to the bank accounts of willing or unwitting individuals within the United States. Most of these individuals have been recruited via work-at-home advertisements, or have been contacted after placing resumes on well-known job search web sites. These persons are often hired to "process payments", or "transfer funds". They are told they will receive wire transfers into their bank accounts. Shortly after funds are received, they are directed to immediately forward most of the money overseas via wire transfer services such as Western Union and Moneygram.

Customers who use online banking services are advised to contact their financial institution to ensure they are employing all the appropriate security and fraud prevention services their institution offers.
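A detection rule over a business-banking audit trail for the two steps the alert describes (a second user account created with the stolen credentials, then ACH or wire transfers to payees the business has never paid), added here as an example and not the FBI's or any bank's code. The event records, their field names, the known-payee list and the 24-hour window are constructed assumptions; a real platform's audit export will look different.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed audit events for one business customer (not real bank data).
# Field names are assumptions about what an online-banking audit log exports.
EVENTS: List[Dict] = [
    {"ts": "2009-10-26T09:02:00", "user": "payroll_admin", "action": "login",       "ip": "203.0.113.7"},
    {"ts": "2009-10-26T09:04:00", "user": "payroll_admin", "action": "create_user", "target": "acct_tmp"},
    {"ts": "2009-10-26T09:10:00", "user": "acct_tmp",      "action": "login",       "ip": "203.0.113.7"},
    {"ts": "2009-10-26T09:12:00", "user": "acct_tmp",      "action": "ach_credit",  "payee": "R Cutshall", "amount": 9600.00},
    {"ts": "2009-10-26T09:13:00", "user": "acct_tmp",      "action": "ach_credit",  "payee": "M Doe",      "amount": 9400.00},
    {"ts": "2009-10-26T09:14:00", "user": "acct_tmp",      "action": "wire",        "payee": "K Roe",      "amount": 9800.00},
    {"ts": "2009-10-30T08:30:00", "user": "payroll_admin", "action": "ach_credit",  "payee": "J Smith",    "amount": 2100.00},
]

# Payees seen in prior legitimate payroll runs (constructed).
KNOWN_PAYEES: Set[str] = {"J Smith", "A Jones"}
TRANSFER_ACTIONS = {"ach_credit", "wire"}
# Assumption: transfers by a sub-user created within this window are suspect.
NEW_USER_WINDOW = timedelta(hours=24)

def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])

def find_suspicious_transfers(events: List[Dict], known_payees: Set[str],
                              window: timedelta = NEW_USER_WINDOW) -> List[Dict]:
    """Flag transfers matching the alert's pattern: a first-seen payee, and/or a
    transfer made by a user account created shortly before the transfer."""
    created_at: Dict[str, datetime] = {}
    findings: List[Dict] = []
    for e in sorted(events, key=_ts):
        if e["action"] == "create_user":
            created_at[e["target"]] = _ts(e)
            continue
        if e["action"] not in TRANSFER_ACTIONS:
            continue
        reasons = []
        if e["payee"] not in known_payees:
            reasons.append("first_seen_payee")
        born = created_at.get(e["user"])
        if born is not None and _ts(e) - born <= window:
            reasons.append("transfer_by_newly_created_user")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "payee": e["payee"],
                             "amount": e["amount"], "reasons": reasons})
    return findings

def batch_summary(findings: List[Dict]) -> Dict:
    """What a reviewer wants before releasing the batch: money headed to never-seen payees."""
    to_new = [f for f in findings if "first_seen_payee" in f["reasons"]]
    return {
        "flagged": len(findings),
        "new_payees": len({f["payee"] for f in to_new}),
        "amount_to_new_payees": round(sum(f["amount"] for f in to_new), 2),
    }

if __name__ == "__main__":
    found = find_suspicious_transfers(EVENTS, KNOWN_PAYEES)
    for f in found:
        print(f["ts"], f["user"], "->", f["payee"], f["amount"], ",".join(f["reasons"]))
    print(batch_summary(found))
```

Either rule alone is noisy (legitimate businesses add payees, and admins do create accounts), but a transfer that trips both within minutes of a new account's first login is exactly the sequence the alert describes, and the batch summary is the figure to put in front of whoever approves the release. The known-payee check is also the control American Realty's bank, by its own account, had a signal for and did not act on.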

Security Firm M86 Acquires Finjan

Web and e-mail security provider M86 Security was set to announce on Tuesday the acquisition of Finjan.

Finjan brings to the table a secure Web gateway product and software-as-a-service solutions, M86 said in a statement. Under the merger, which is effective immediately, Finjan will maintain a development center and operations in Netanya, Israel.

U.S.-based Finjan SW will remain an independent company to retain its malware detection intellectual property, according to a statement.

M86 was created a year ago with the merger of Marshal and 8e6. In March 2009, the combined company acquired behavioral malware detection company Avinti.